NERC Physical Security Standard CIP-014-1
Allan Wick, CFE, CPP, PSP, PCI, CBCP
Chief Security Officer
WECC Joint Meeting October 8, 2014
Project Overview
The FERC directed NERC to submit proposed physical security reliability standards to the Commission within 90 days of the date of the March 7, 2014 order.
Only a relatively small number of Transmission Owners and Transmission Operators will need to comply with the entire Standard (25).
Includes confidentiality requirements. Three step process.
Standard Highlights
Background
• The Reliability Standard addresses the directives from the FERC order issued March 7, 2014, Reliability Standards for Physical Security Measures, 146 FERC ¶ 61,166 (2014), which required NERC to develop a physical security reliability standard(s) to identify and protect facilities that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.
• Drafted as Critical Infrastructure Protection (CIP) family of standards.
Standard Highlights
Requirements R1-R3
• Perform risk assessments to identify Transmission stations and Transmission substations that meet the “medium impact” criteria from CIP-002-5.1, and their associated primary control centers, then
• Arrange for a third party verification of the identifications; and
• Notify Transmission Operators of identified primary control centers that operationally control the verified Transmission stations and Transmission substations.
• The requirements provide the periodicity for satisfying these obligations. Only an entity that owns or operates one or more of the identified facilities has further obligations in Requirements R4 through R6. If an entity identifies a null set after applying Requirements R1 through R2, the rest of the standard does not apply.
• Transmission Owner shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party verifier and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.
Standard Highlights
Requirements R4-R6
• The evaluation of potential threats and vulnerabilities of a physical attack to the facilities identified and verified according to the earlier requirements,
• The development and implementation of a security plan(s) designed in response to the evaluation, and
• A third party review of the evaluation and security plan(s).
• Transmission Owner shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party verifier and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.
Key Dates
Final Ballot Closed May 5 – Passed 85%
NERC BOT Adopted May 13, 2014
FERC BOD Proposed Approved July 17, 2014
Two directives, FERC add/delete & instability vs. widespread instability
45 day comment period, September 8, 2014
Effective the first day of the first calendar quarter that is six months beyond the date that the standard is approved by applicable regulatory authorities, ….
Implementation Plan
The initial performance of CIP-014-1, Requirements R2 through R6, must be completed according to the timelines specified in those requirements after the effective date of the proposed Reliability Standard, as follows:
Requirement R2 shall be completed as follows:
Parts 2.1, 2.2, and 2.4 shall be completed within 90 calendar days of the effective date of the proposed Reliability Standard.
Part 2.3 shall be completed within 60 calendar days of the completion of performance under Requirement R2 part 2.2.
Requirement R3 shall be completed within 7 calendar days of completion of performance under Requirement R2.
Requirements R4 and R5 shall be completed within 120 calendar days of completion of performance under Requirement R2.
Requirement R6 shall be completed as follows:
Parts 6.1, 6.2, and 6.4 shall be completed within 90 calendar days of completion of performance under Requirement R5.
Part 6.3 shall be completed within 60 calendar days of Requirement R6 part 6.